From 327ecbdb2e0e7d8cd82df8b641f9b8776d2c05e5 Mon Sep 17 00:00:00 2001 From: zwzhang Date: Tue, 16 Apr 2024 12:22:53 +0800 Subject: [PATCH] chores: add security docs (#77) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 佑祎 --- README-zh_CN.md | 5 ++++- README.md | 9 ++++++--- SECURITY.md | 22 ++++++++++++++++++++++ embargo-policy.md | 30 ++++++++++++++++++++++++++++++ 4 files changed, 62 insertions(+), 4 deletions(-) create mode 100644 SECURITY.md create mode 100644 embargo-policy.md diff --git a/README-zh_CN.md b/README-zh_CN.md index 2f0ccad7..57e662a1 100644 --- a/README-zh_CN.md +++ b/README-zh_CN.md @@ -78,4 +78,7 @@ Koordinator is licensed under the Apache License, Version 2.0. See [LICENSE](./L ## Star History [![Star History Chart](https://api.star-history.com/svg?repos=koordinator-sh/koordinator&type=Date)](https://star-history.com/#koordinator-sh/koordinator&Date) ---> \ No newline at end of file +--> + +## 安全 +对于发现的安全漏洞,请邮件发送至kubernetes-security@service.aliyun.com,您可在[SECURITY.md](./SECURITY.md)文件中找到更多信息。 diff --git a/README.md b/README.md index c31bd9d2..2b184b2a 100644 --- a/README.md +++ b/README.md 
@@ -21,12 +21,12 @@ running beyond K8s such as Apache Haddop YARN. As a resource management platform numbers of computing engines including MapReduce, Spark, Flink, Presto, etc. In order to extend the co-location scenario of Koordinator, now the community has provided Hadoop YARN extended suits -`Koordinator YARN Copilot` in BigData ecosystem, supporting running Hadoop YARN jobs by `koord-batch` resources with +`Koordinator YARN Copilot` in BigData ecosystem, supporting running Hadoop YARN jobs by `koord-batch` resources with other K8s pods. The `Koordinator YARN Copilot` has following characteristics: - Open-Source native: implement against open-sourced version of Hadoop YARN; so there is no hack inside YARN modules. - Unifed resource priority and QoS strategy: the suits aims to the `koord-batch` priority of Koordinator, and also managed by QoS strategies of koordlet. -- Resource sharing on node level: node resources of `koord-batch` priority can be requested by tasks of YARN or `Batch` pods both. +- Resource sharing on node level: node resources of `koord-batch` priority can be requested by tasks of YARN or `Batch` pods both. - Adaptive for multiple environments: the suits can be run under any environment, including public cloud or IDC. ## Quick Start @@ -81,4 +81,7 @@ Koordinator is licensed under the Apache License, Version 2.0. See [LICENSE](./L ## Star History [![Star History Chart](https://api.star-history.com/svg?repos=koordinator-sh/koordinator&type=Date)](https://star-history.com/#koordinator-sh/koordinator&Date) ---> \ No newline at end of file +--> + +## Security +Please report vulnerabilities by email to kubernetes-security@service.aliyun.com. Also see our [SECURITY.md](./SECURITY.md) file for details. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..d6f814d1 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,22 @@ +# Security Policy + +- [Security Policy](#security-policy) + - [Reporting security problems](#reporting-security-problems) + - [Vulnerability Management Plans](#vulnerability-management-plans) + - [Critical Updates And Security Notices](#critical-updates-and-security-notices) + +## Reporting security problems + +**DO NOT CREATE AN ISSUE** to report a security problem. Instead, please +send an email to kubernetes-security@service.aliyun.com + +Please follow the [embargo policy](./embargo-policy.md) for all security-related problems. + +## Vulnerability Management Plans + +### Critical Updates And Security Notices + +We learn about critical software updates and security threats from these sources + +1. GitHub Security Alerts +2. [Dependabot](https://dependabot.com/) Dependency Updates diff --git a/embargo-policy.md b/embargo-policy.md new file mode 100644 index 00000000..04c479c8 --- /dev/null +++ b/embargo-policy.md 
@@ -0,0 +1,30 @@ +# Embargo Policy + +This policy forbids members of this project's security contacts any others +defined below from sharing information outside of the security contacts and this +listing without need-to-know and advance notice. + +The information members and others receive from the list defined below must: + +* not be made public, +* not be shared, +* not be hinted at +* must be kept confidential and close held + +Except with the list's explicit approval. This holds true until the public +disclosure date/time that was agreed upon by the list. + +If information is inadvertently shared beyond what is allowed by this policy, +you are REQUIRED to inform the security contacts kubernetes-security@service.aliyun.com of exactly what +information leaked and to whom. A retrospective will take place after the leak +so we can assess how to not make this mistake in the future. + +Violation of this policy will result in the immediate removal and subsequent +replacement of you from this list or the Security Contacts. + +## Disclosure Timeline + +This project sustains a **disclosure timeline** to ensure we provide a +quality, tested release. On some occasions, we may need to extend this timeline +due to complexity of the problem, lack of expertise available, or other reasons. +Submitters will be notified if an extension occurs.
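Review bot: In the README-zh_CN.md hunk the new "## 安全" section is consistent with the English one (same address, same link to ./SECURITY.md), but the link target is the English-only SECURITY.md created in this patch; if the Chinese README is meant to be self-sufficient, either add a one-line note that the policy is in English or plan a SECURITY-zh_CN.md so the two READMEs stay in step.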
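Review bot: The first README.md hunk (lines 21-32) changes only trailing whitespace on two lines and is unrelated to the commit's stated purpose of adding security docs; since this region is being touched anyway, the context lines still carry the typos "Apache Haddop YARN" and "Unifed resource priority", which could be corrected in the same pass, or the whitespace-only change could be dropped to keep the diff focused.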
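Review bot: The new "## Security" section in README.md gives reporters only an email address; a reporter usually also wants to know whether encrypted mail is expected (a PGP key or fingerprint) and how quickly to expect an acknowledgement, so consider adding those, or state them in SECURITY.md and leave the README pointing there as it does now.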
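Review bot: In SECURITY.md the "Vulnerability Management Plans" section only lists where the project learns about upstream updates (GitHub Security Alerts, Dependabot); it says nothing about what happens to a report sent to kubernetes-security@service.aliyun.com, such as acknowledgement time, who triages it, which versions receive fixes, and how an advisory is published, which is the information a reporter reading this file is looking for. Two small wording fixes in the same hunk: "send an email to kubernetes-security@service.aliyun.com" is missing its terminating period, and "from these sources" should end with a colon before the numbered list. Also, since Dependabot is now a GitHub feature, linking to GitHub's Dependabot documentation rather than https://dependabot.com/ would be more durable.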
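Review bot: embargo-policy.md refers throughout to "the list defined below" and to "the Security Contacts", but the file never defines either; the only concrete identity is the email address in the fourth paragraph, so a reader cannot tell who is bound by the policy or who grants the "list's explicit approval". State the contacts (or link to where they are listed) near the top. The "Disclosure Timeline" section likewise promises a timeline without giving one; add the default embargo window (for example a number of days from report to public disclosure) so "extend this timeline" has a baseline. Wording fixes in the hunk: "members of this project's security contacts any others defined below" needs "and" before "any others"; the bullet list mixes "not be ..." items with "must be kept confidential and close held", so drop "must be" from the last bullet and write "closely held"; and "Except with the list's explicit approval." is a fragment that should be joined to the preceding sentence.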